Hi,

After some trial and error, I managed to create an IPSec tunnel between a m0n0wall box and a Cisco Router and traffic was flowing perfectly between the two networks. I went home, and left a technician on the remote side to set up his Windows Server in London to talk to our Windows Server here in Johannesburg, South Africa. He called me about an hour later informing me they had a power outage and the tunnel wasn't coming back up. I assumed I had forgotten to write the Cisco router's config, but it turns out I had actually written it; what I needed to do was restart the IPSec tunnel on my m0n0wall box.

After Googling and searching through m0n0wall's archives I found that dasz, Mark and Sean seem to have the same/similar issue (http://m0n0.ch/wall/list/showmsg.php?id=231/34), but didn't seem to end up finding a solution.

Seeing as I battled to find exact documentation for a m0n0wall IPSec connection specifically to a Cisco Router, I figured I may as well post it here for the next person trying the same thing, or something similar:

Router is a Cisco 837 from the looks of things:

-------------------------------------------------------------------
Cisco C837 (MPC857DSL) processor (revision 0x501) with 44237K/4915K bytes of memory.
Processor board ID FOC08493FWZ (1775087769), with hardware revision 0000
CPU rev number 7
1 Ethernet interface
4 FastEthernet interfaces
1 ATM interface
128K bytes of NVRAM.
12288K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)
-------------------------------------------------------------------

Johannesburg LAN (m0n0wall on leased line) uses 192.168.7.0/24
London LAN (Cisco ADSL Router) uses 10.0.0.0/24

Here is the relevant config in regards to the IPSEC tunnel for the Cisco Router. It doesn't seem to matter what kind of uplink you have, just that there is a "crypto map" command on the "public" interface of the device, in my case dialer1. I have omitted anything that is not really related to the tunnel:

-------------------------------------------------------------------
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <shared-secret> address <m0n0wall-public-ipaddress> no-xauth
crypto ipsec transform-set trans1 esp-3des esp-md5-hmac
crypto map mymap 1 ipsec-isakmp
 set peer <m0n0wall-public-ipaddress>
 set transform-set trans1
 match address 102
interface Dialer1
 crypto map mymap
access-list 102 permit ip 10.0.0.0 0.0.0.255 192.168.7.0 0.0.0.255
-------------------------------------------------------------------

We have a leased line in Johannesburg with a routed IP configured on the WAN of the m0n0wall box. This box has been doing 100% trouble-free NAT at this site for over a year; it has a CD-ROM with m0n0wall on it and a floppy disk for the config.

I burnt the latest m0n0wall to CD, popped it in, restarted and the box just worked with the newer version :). I then selected IPSec under VPN, hit the "+" button, and used the following options:

Interface: WAN
Local subnet: Type: LAN Subnet
Remote subnet: 10.0.0.0/24
Remote Gateway: <london-cisco-router-public-ip>
Description: London Office

Phase 1:
Negotiation Mode: aggressive
My identifier: My IP address
Encryption algorithm: 3DES
Hash algorithm: MD5
DH key group: 2
Lifetime: 14400
Authentication method: pre-shared key

Phase 2:
Protocol: ESP
Encryption algorithms: only 3DES selected
Hash algorithms: only MD5 selected
PFS key group: off
Lifetime: 14400

While I have done routing and NAT on Ciscos for several years, I'm no Cisco certified engineer or anything, and have never done IPSec before, so it took me a while to work out the Cisco router config, but I seemed to get it working in the end.

The problem is that if I do a restart of the Cisco, the tunnel won't come back up until I either restart the m0n0wall box completely or click the "Save" button in the VPN->IPSec page. Ideally I need the system to bring itself back up after any interruptions, so any solution to this problem would be greatly appreciated.

Many Thanks,
Jonathan Lydall
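Both ends of the tunnel are listed in the post above, so here is an added example (not from the original post, m0n0wall or Cisco) of a small Python check that parses the Cisco-side ISAKMP policy, transform set and crypto ACL, compares them against the m0n0wall form values, and flags proposal choices (3DES, MD5, DH group 2) that are no longer considered adequate. The Cisco text and the m0n0wall dictionary are constructed from the values in the post, with the placeholders left out.

```python
import ipaddress
import re

# Constructed sample: the tunnel-related Cisco lines from the post (placeholders omitted).
CISCO_CONFIG = """
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set trans1 esp-3des esp-md5-hmac
access-list 102 permit ip 10.0.0.0 0.0.0.255 192.168.7.0 0.0.0.255
"""

# The m0n0wall side as entered in the VPN->IPsec form (local = Johannesburg LAN).
M0N0 = {"p1_encr": "3des", "p1_hash": "md5", "p1_dh": "2", "p2_encr": "3des",
        "p2_hash": "md5", "local": "192.168.7.0/24", "remote": "10.0.0.0/24"}

KEYS = ("p1_encr", "p1_hash", "p1_dh", "p2_encr", "p2_hash")

def wildcard_to_net(addr, wildcard):
    """Turn a Cisco ACL 'address wildcard' pair into CIDR (wildcard is the inverted mask)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))

def parse_cisco(text):
    """Extract the ISAKMP policy, ESP transform set and crypto ACL subnets."""
    grab = lambda pat: re.search(pat, text, re.M).groups()
    c = {"p1_encr": grab(r"^\s*encr (\S+)")[0], "p1_hash": grab(r"^\s*hash (\S+)")[0],
         "p1_dh": grab(r"^\s*group (\d+)")[0]}
    c["p2_encr"], c["p2_hash"] = grab(r"transform-set \S+ esp-(\S+) esp-(\S+)-hmac")
    a1, w1, a2, w2 = grab(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)")
    c["local"], c["remote"] = wildcard_to_net(a1, w1), wildcard_to_net(a2, w2)
    return c

def compare(cisco, m0n0):
    """List mismatches that would stop phase 1 or phase 2 from negotiating."""
    problems = [f"{k}: cisco={cisco[k]} m0n0wall={m0n0[k]}" for k in KEYS if cisco[k] != m0n0[k]]
    # The crypto ACL must be the mirror image of the m0n0wall local/remote pair.
    if cisco["local"] != m0n0["remote"] or cisco["remote"] != m0n0["local"]:
        problems.append("crypto ACL does not mirror the m0n0wall subnets")
    return problems

def weak_settings(c):
    """Flag proposal choices no longer considered adequate (DES/3DES, MD5, DH groups 1-2)."""
    return [k for k in KEYS if c[k] in ("des", "3des", "md5", "1", "2")]

if __name__ == "__main__":
    cisco = parse_cisco(CISCO_CONFIG)
    print("mismatches:", compare(cisco, M0N0) or "none")
    print("weak settings:", weak_settings(cisco))
```

A proposal mismatch on either side shows up in the returned list; an empty list with only weak-setting flags means the two ends agree but on an outdated suite.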